This is a very technical post so it will only be of interest if you are involved in managing a website hosted OUTSIDE of the Falkland Islands that uses a .fk based domain. This includes www.falklands.gov.fk. If that is the case, when the Falkland Islands’ Internet is down (as it was on the 30th April 2019) then that site will not be accessible. There are also implications for Falkland Islands’ email services.
Update 4th May 2019
I have been told by a C&W guy in the UK that prior to the acquisition of the Falkland Islands C&W ‘branch’ by Sure, the .fk name servers were mirrored on the C&W backbone network in Germany. I’m pleased to hear that so this is an issue arising from the change of ownership.
Update 2nd May 2019
This was received from a colleague so why don’t Sure Falkland Islands do the same?
Regarding the DNS setup for the .fk domain, there are indeed only two NS servers for the .fk zone (https://www.iana.org/domains/root/db/fk.html) which are both on the same AS network and even in the same IP subnet which constitutes gross negligence of the basic principles of the DNS system in that there’s no geographical and no topological distribution but the entire zone hinges on two servers in Stanley attached to the same router and uplink.
In contrast the .sh and .ac domains are run by a UK company called Internet Computer Bureau (http://www.icb.co.uk/) which operates six distributed NS servers (none of them on the islands) to manage these two zones: https://www.iana.org/domains/root/db/sh.html
When I posted the 30-04-2019 news item talking about the early morning island-wide outage, I stated that I could not connect with any Falkland Islands’ based web sites. With a complete Internet connectivity outage this would be expected.
One of the non-accessible sites during the Falkland Islands Internet outage.
However, in my original posting, I showed an image of one site that I could not connect to – www.regulatorfi.org.fk.
I was then told in a comment made on the posting:
“regulatorfi.org.fk is not hosted on the island, so it must have been a different error you saw there.”
This really intrigued me and made me ask why I could not get DNS resolution for a site not based on the islands. Surely, the whole point of NOT hosting in the islands was to get markedly improved performance over a site physically hosted on the islands, and for it to be accessible at all times?
What is DNS?
For those that are not familiar with what DNS is let me quote from Wikipedia:
“The Domain Name System (DNS) is a decentralized naming system for computers, services, or other resources connected to the Internet. It translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services.”
An Internet user would type the web site’s name, such as www.falklands.gov.fk, into a browser. The browser would then query the DNS servers configured on the user’s PC to look up that name in the DNS database and obtain its IP address, 18.104.22.168. The browser is then able to connect to the web site.
Using Ping Plotter, it can be seen in the picture below that the maximum delay from my PC to the www.falklands.gov.fk website is around 130mS, not the 850mS it would take if it was hosted in the Falkland Islands. Clearly a decision has been made to host the www.falklands.gov.fk site in the USA to improve a user’s experience.
www.falklands.gov.fk is hosted in the USA
Why couldn’t I access www.falklands.gov.fk from the UK when the Falkland Islands’ Internet was down?
Surely, any business or government organisation with a website hosted outside of the Falkland Islands would want their non-Falkland Island users to be able to access their site even if the Internet in the Falkland Islands was down? There is clearly a problem here.
To be clear, if the website is NOT located in the Falkland Islands and does NOT use the ‘.fk’ domain extension but another such as ‘.com’, THERE IS NO ISSUE.
But, if the website is NOT located in the Falkland Islands and uses a ‘.fk’ domain such as ‘co.fk’ or ‘.gov.fk’ for example, there IS a significant issue. Let me explain why.
When a web site is created and given a name, the website developer specifies the name servers that will answer DNS lookups for it. This can be seen in the picture below for www.falklands.gov.fk.
Data created by squish.com
The DNS request was 50% answered by ns1.horizon.net.fk and 50% by ns2.horizon.net.fk WHICH ARE HOSTED IN THE FALKLAND ISLANDS! So if the Internet link to the Falkland Islands is down, it is likely that non-Falkland Islands’ users will not be able to get to the web site if the .fk URL is not in the DNS cache the user is accessing. Note: This has been wrongly configured as the address and its backup are the same! This should never be the case.
Another website that suffers from the issue outlined here is www.regulatorfi.org.fk. Again, the IP address and its backup are the same, which is bad practice.
Data created by squish.com
Also notice that the main and the backup are pointing to the same IP address.
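The two faults described in this post (name servers sharing one subnet, and a main and backup that point to the same IP address) can be checked mechanically once the NS addresses are known. The sketch below is an added example, not part of the original post; the host names and addresses are constructed from documentation ranges, and the function name and finding codes are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zones (documentation address ranges, not real .fk data).
SAME_ADDRESS_ZONE = {"ns1.example.test": ["192.0.2.10"],
                     "ns2.example.test": ["192.0.2.10"]}
SAME_SUBNET_ZONE = {"ns1.example.test": ["192.0.2.10"],
                    "ns2.example.test": ["192.0.2.11"]}
DISTRIBUTED_ZONE = {"ns1.example.test": ["192.0.2.10"],
                    "ns2.example.test": ["198.51.100.20"],
                    "ns3.example.test": ["203.0.113.30"]}

def audit_ns_diversity(ns_records, v4_prefix=24, v6_prefix=48):
    """ns_records maps NS host name -> list of IP strings.
    Returns a list of (code, detail) findings; an empty list means no
    fault was found at this level. AS-level diversity needs routing data
    and is not checked here."""
    findings = []
    if len(ns_records) < 2:
        findings.append(("TOO_FEW_SERVERS", f"{len(ns_records)} name server(s) listed"))
    by_ip = defaultdict(set)    # address -> NS names using it
    by_net = defaultdict(set)   # covering subnet -> NS names inside it
    for name, addrs in ns_records.items():
        if not addrs:
            findings.append(("NO_ADDRESS", name))
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            plen = v4_prefix if ip.version == 4 else v6_prefix
            by_ip[ip].add(name)
            by_net[ipaddress.ip_network(f"{ip}/{plen}", strict=False)].add(name)
    # "Main" and "backup" that resolve to one machine give no redundancy.
    for ip, names in by_ip.items():
        if len(names) > 1:
            findings.append(("SHARED_ADDRESS", f"{', '.join(sorted(names))} -> {ip}"))
    # Every address of a family inside one subnet: one router or uplink
    # failure takes the whole zone offline.
    for version in (4, 6):
        nets = [n for n in by_net if n.version == version]
        if len(nets) == 1:
            findings.append(("SINGLE_SUBNET", f"all IPv{version} addresses are inside {nets[0]}"))
    return findings

if __name__ == "__main__":
    for label, zone in (("same address", SAME_ADDRESS_ZONE),
                        ("same subnet", SAME_SUBNET_ZONE),
                        ("distributed", DISTRIBUTED_ZONE)):
        print(label, audit_ns_diversity(zone))
```

To audit a real zone, fill the dictionary from the NS and address records returned by a DNS lookup for that zone.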
What are the consequences of the .fk DNS issue?
- Even though the www.falklands.gov.fk website is hosted in the USA, when there is high congestion on the Falkland Islands’ satellite link or when the Falkland Islands’ Internet is down, anybody outside of the Falkland Islands would probably not be able to access the website.
- Even though DNS servers are distributed world-wide, they do not hold every Internet website URL address as there are too many. Rather they ‘cache’ the URLs most commonly used by their users. So, it may be that falklands.gov.fk is cached in the chosen DNS server, but most likely not. If it was in the cache the user would be connected to the website; if not, a ‘Website not found’ error would be displayed in the browser.
- The country code top-level domain ‘.fk’ name servers should NOT BE only hosted in the Falkland Islands but also mirrored in multiple locations such as in the UK and USA. This would mean that a non-Falkland Islands’ hosted ‘.fk’ website could be accessed by anyone outside of the Falkland Islands even in worst-case satellite congestion or in a Falkland Islands’ Internet outage such as experienced on the 30-04-2019.
- Why should all DNS requests that are not cached in international DNS servers come back to the Falkland Islands over the satellite link? This just adds to the congestion on both the up- and down-stream links and increases access time to websites.
Recommendation for organisations:
If you are hosting your website outside of the Falkland Islands AND using a .fk domain, then you need to talk to whoever is responsible for hosting .fk addresses as a matter of urgency to get this situation resolved. As I understand it, the management of the .fk domain has been subcontracted to Sure South Atlantic by the Falkland Islands Communications Regulator. The alternative is to change to a .com based website URL of course!
Recommendation for Sure South Atlantic:
THE .fk DATABASE NEEDS TO BE HOSTED IN MULTIPLE COUNTRIES TO AVOID THE ISSUES DESCRIBED IN THIS POST. The need to do this goes way beyond what can be called ‘industry best practice’ and is mandatory for any country I would have thought.
An ideal location would be Sure Guernsey where I’m sure they would host a mirror for free?
Addendum: Possible DNS email issues.
If the Falkland Islands Internet link is down or there is high congestion, there will be an issue with emails as well. This is probably of higher importance than the issues discussed in this post. If an international email sender sends a message to email@example.com and the DNS lookup fails in the same way as described earlier, the mail server has two possible options:
- The mail server used by the sender triggers an immediate delivery failure and the sender receives a bounce notification with an error message, or
- The mail server used by the sender recognises a temporary problem and will queue the message for later delivery. Depending on how quickly the issue is resolved the message will reach its intended recipient or the queue will time out and the sender gets a delayed bounce message.
What actually happens is rather indeterminate in practice as there are no hard and fast rules in place but, put it this way, emails can certainly be lost through bouncing. This is probably a higher priority reason for Sure South Atlantic to mirror the .fk DNS server in Sure Guernsey’s datacentre.
Chris Gare, May 2019 Copyright: OpenFalklands.com